RE: Canonicalization of <SignedInfo> for Reference Validation from ZOHAR,ILAN (HP-Cupertino,ex1) on 2001-07-06 (w3c-ietf-xmldsig@w3.org from July to September 2001)

From: ZOHAR,ILAN (HP-Cupertino,ex1) <ilan_zohar@hp.com>
Date: Fri, 6 Jul 2001 10:42:31 -0700
To: "'Dournaee, Blake'" <bdournaee@rsasecurity.com>
Cc: w3c-ietf-xmldsig@w3.org, "'Joseph M. Reagle Jr.'" <reagle@w3.org>
Message-ID: <877AC5B5F768D511A51600A0C9F48418BE8DEE@xcup01.cup.hp.com>
Blake,

I would tend to define a well defined transformation could be defined as a
'stateless' transformation, that is the output is a function of the given
input and nothing else (which is not in the function definition itself). 
It should therefor be unalterable during the time , as there are no
additions which are beyond the immediate control of the transformation ,
such as a memory someone else may change (e.g. dereferencing a URL).

Ilan Zohar
Hewlett Packard

-----Original Message-----
From: Dournaee, Blake [mailto:bdournaee@rsasecurity.com]
Sent: Thursday, July 05, 2001 8:00 PM
To: 'John Boyer'
Cc: w3c-ietf-xmldsig@w3.org; 'Joseph M. Reagle Jr.'
Subject: RE: Canonicalization of <SignedInfo> for Reference Validation


John,

Thank you for your further clarification.

I am inferring (from your example below) that well-defined transformation
algorithms don't violate the "what you see is what you sign" rule simply
because their behavior is open and known? Is this correct?

How do we draw the "line in the sand" for transformation algorithms that
preserve the wysiwys (What you see is what you sign) property. For example,
it is easy to argue for pervasive transformation algorithms like Base64
Encoding or ZIP compression, but what about lesser known algorithms. What if
someone decides to compress something with ARC? What about a proprietary
compression or encoding scheme with a closed source?

It's clear to me that an XSLT transform that deletes all element content in
an XML Document would clearly violate wysiwys, but is there really a good
way to measure this property?

In a strict sense, Base-64 encoding seems to violate wysiwys: For example,
in a courtroom if someone asks to see the document that was signed and a
Base-64 encoded blob is shown to the signer, it will be difficult for that
person to say: "Yes this is the document that I signed", because in reality
they saw something completely different when the signature operation
happened.

I'm guessing that all of this was hashed out some time ago and I probably
came a little late for this discussion. Any thoughts or pointers to previous
discussion on this would be most helpful.

Kind Regards,

Blake Dournaee
Toolkit Applications Engineer
RSA Security
 
"The only thing I know is that I know nothing" - Socrates
 
 


-----Original Message-----
From: John Boyer [mailto:JBoyer@PureEdge.com]
Sent: Thursday, July 05, 2001 2:31 PM
To: Dournaee, Blake; Joseph M. Reagle Jr.
Cc: w3c-ietf-xmldsig@w3.org
Subject: RE: Canonicalization of <SignedInfo> for Reference Validation




Hi Blake,

<blake>
On a related note, it seems like encoding transforms (such as Base64 or
compression or anything that significantly permutes the input data)
would
violate the "See what you sign" rule.
</blake>

<john>
A transforms such as base64, compression, etc. do not violate "What you
'see' is what you sign?", provided that the transformation algorithms
follow well-documented public standards.

For example, when you sign the binary of a jpeg image, are you signing
what you see?  No you're signing highly compressed (possibly lossy) data
that corresponds to a bitmap image via a well-known public algorithm, so
we accept it.  By comparison, signing a base-64 encoding of a jpeg is
peanuts.

Cheers,
John Boyer
Senior Product Architect, Software Development
Internet Commerce System (ICS) Team
PureEdge Solutions Inc.
Trusted Digital Relationships
v: 250-708-8047  f: 250-708-8010
1-888-517-2675   http://www.PureEdge.com <http://www.pureedge.com/>
</john>




-----Original Message-----
From: Joseph M. Reagle Jr. [mailto:reagle@w3.org]
Sent: Thursday, July 05, 2001 11:36 AM
To: Dournaee, Blake
Cc: Dsig (E-mail)
Subject: Re: Canonicalization of <SignedInfo> for Reference Validation


At 14:10 7/5/2001, Dournaee, Blake wrote:
>I've been thinking about Section 3.2.1: Reference Validation and am not
>quite convinced that there is a real security reason for canonicalizing
><SignedInfo> for Reference Validation.

Hi Blake,

You're right, for Canonical XML there isn't much of a reason. *But*
since
other canonicalizations can be used, in order to satisfy the "see what
you
sign" (and its sister maxims) you should reference validate (see) what
was
signed (canonical form.) An area where this might be important is where
a
canonicalization algorithm rewrote URIs. Even something as innocuous as
absolutizing relative URIs (which was a point of debate with respect to
namespaces) could change what it is your signing.

Canonical XML doesn't make any such changes, and one could optimize
appropriately, but since the specification is generally written from an
algorithm independent point of view it includes that processing/warning.


--
Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature
W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/
Received on Friday, 6 July 2001 13:42:36 UTC